Malware analysis SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe Malicious activity

Add for printing

File name:	SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe
Full analysis:	https://app.any.run/tasks/f7ec49bf-cca4-4819-88a1-02fce1d57a5a
Verdict:	Malicious activity
Analysis date:	June 27, 2025, 03:06:23
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:	BC4A177C57AD2439DE08F86738E026B5
SHA1:	14DFAA2069E01EB0C8973D4DC7043BF2CA153572
SHA256:	FFF7E97A5C76A9C197BA2BA9419BA34162859A265C6A1E568E9022B56EC1B64C
SSDEEP:	98304:zP6KSoi+6TcFr5E36nyyxDRj3GVn+Ul5XSwogze6CYIiTfli2vV9Mh8MRo2w+uUq:bAeWG9+x64GI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Registers / Runs the DLL via REGSVR32.EXE
  - NeroInstaller.exe (PID: 700)
- Changes the autorun value in the registry
  - NeroInstaller.exe (PID: 700)
- Starts NET.EXE for service management
  - net.exe (PID: 592)
  - cmd.exe (PID: 2216)
SUSPICIOUS
- Reads Internet Explorer settings
  - SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe (PID: 6356)
  - NeroInstaller.exe (PID: 700)
- Reads security settings of Internet Explorer
  - SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe (PID: 6356)
  - NeroInstaller.exe (PID: 700)
  - NBService.exe (PID: 1896)
- Executable content was dropped or overwritten
  - SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe (PID: 6356)
  - NeroInstaller.exe (PID: 700)
- Creates a software uninstall entry
  - NeroInstaller.exe (PID: 700)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 7076)
  - NeroInstaller.exe (PID: 700)
  - regsvr32.exe (PID: 6840)
  - regsvr32.exe (PID: 3504)
- Process drops legitimate windows executable
  - NeroInstaller.exe (PID: 700)
- The process creates files with name similar to system file names
  - NeroInstaller.exe (PID: 700)
- Searches for installed software
  - NeroInstaller.exe (PID: 700)
- The process drops C-runtime libraries
  - NeroInstaller.exe (PID: 700)
- Creates a new Windows service
  - sc.exe (PID: 3780)
- Sets the service to start on system boot
  - sc.exe (PID: 7004)
- Windows service management via SC.EXE
  - sc.exe (PID: 6016)
  - sc.exe (PID: 3160)
- Executes as Windows Service
  - NBService.exe (PID: 1896)
- Starts CMD.EXE for commands execution
  - NeroInstaller.exe (PID: 700)
INFO
- Reads the computer name
  - SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe (PID: 6356)
  - NeroInstaller.exe (PID: 700)
  - NeroInfo.exe (PID: 6796)
  - NBService.exe (PID: 1896)
- Checks supported languages
  - SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe (PID: 6356)
  - NeroInstaller.exe (PID: 700)
  - NBService.exe (PID: 1896)
  - NeroInfo.exe (PID: 6796)
- Reads the software policy settings
  - SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe (PID: 6356)
  - NeroInstaller.exe (PID: 700)
  - NBService.exe (PID: 1896)
- Creates files in the program directory
  - SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe (PID: 6356)
  - NeroInstaller.exe (PID: 700)
- Create files in a temporary directory
  - NeroInstaller.exe (PID: 700)
  - SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe (PID: 6356)
- Creates files or folders in the user directory
  - SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe (PID: 6356)
- Checks proxy server information
  - SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe (PID: 6356)
  - NeroInstaller.exe (PID: 700)
- Reads the machine GUID from the registry
  - SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe (PID: 6356)
  - NeroInstaller.exe (PID: 700)
  - NBService.exe (PID: 1896)
- The sample compiled with english language support
  - NeroInstaller.exe (PID: 700)
  - SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe (PID: 6356)
- The sample compiled with german language support
  - NeroInstaller.exe (PID: 700)
- Process checks computer location settings
  - NeroInstaller.exe (PID: 700)
- The sample compiled with spanish language support
  - NeroInstaller.exe (PID: 700)
- The sample compiled with french language support
  - NeroInstaller.exe (PID: 700)
- The sample compiled with polish language support
  - NeroInstaller.exe (PID: 700)
- The sample compiled with Italian language support
  - NeroInstaller.exe (PID: 700)
- The sample compiled with russian language support
  - NeroInstaller.exe (PID: 700)
- The sample compiled with japanese language support
  - NeroInstaller.exe (PID: 700)
- The sample compiled with swedish language support
  - NeroInstaller.exe (PID: 700)
- The sample compiled with portuguese language support
  - NeroInstaller.exe (PID: 700)
- SQLite executable
  - NeroInstaller.exe (PID: 700)
- The sample compiled with korean language support
  - NeroInstaller.exe (PID: 700)
- The sample compiled with turkish language support
  - NeroInstaller.exe (PID: 700)
- Launching a file from a Registry key
  - NeroInstaller.exe (PID: 700)
- The sample compiled with czech language support
  - NeroInstaller.exe (PID: 700)
- The sample compiled with chinese language support
  - NeroInstaller.exe (PID: 700)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.dll	\|	Win32 Dynamic Link Library (generic) (43.5)
.exe	\|	Win32 Executable (generic) (29.8)
.exe	\|	Generic Win/DOS Executable (13.2)
.exe	\|	DOS Executable Generic (13.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:10:29 06:01:53+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	1442304
InitializedDataSize:	7006720
UninitializedDataSize:	-
EntryPoint:	0x11003a
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	3.0.1.8
ProductVersionNumber:	3.0.1.8
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Nero AG
FileDescription:	NeroInstaller
FileVersion:	3.0.1.8
InternalName:	NeroInstaller
LegalCopyright:	Copyright (c) 2003-2024 Nero AG and its licensors
OriginalFileName:	backitup2025
ProductName:	NeroInstaller
ProductVersion:	3.0.1.8

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

188

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

436

"C:\Windows\System32\cmd.exe" /c "assoc .nda="Nero.BackItUp.2026.nda.1""

C:\Windows\SysWOW64\cmd.exe

—

NeroInstaller.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

516

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

592

net Start NeroBackItUpBackgroundService2026

C:\Windows\SysWOW64\net.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

700

"C:\Users\admin\AppData\Local\Temp\SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe" /noselfupdate /installid backitup2025 /nomutexcheck

C:\Users\admin\AppData\Local\Temp\NeroInstaller\backitup2025\temp\NeroInstaller\NeroInstaller.exe

SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe

User:

admin

Company:

Nero AG

Integrity Level:

HIGH

Description:

NeroInstaller

Version:

3.0.2.1

Modules

Images
c:\users\admin\appdata\local\temp\neroinstaller\backitup2025\temp\neroinstaller\neroinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1036

"C:\Windows\System32\cmd.exe" /c "assoc .nba="Nero.BackItUp.2026.nba.1""

C:\Windows\SysWOW64\cmd.exe

—

NeroInstaller.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1128

"C:\Windows\System32\cmd.exe" /c "sc description NeroBackItUpBackgroundService2026 "Nero BackItUp Service 2026 to provide web service, MTP connection service and file system watcher""

C:\Windows\SysWOW64\cmd.exe

—

NeroInstaller.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1136

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1332

"C:\Windows\System32\cmd.exe" /c "sc create NeroBackItUpBackgroundService2026 binPath= "C:\Program Files (x86)\Nero\Nero 2025\Nero BackItUp\NBService.exe""

C:\Windows\SysWOW64\cmd.exe

—

NeroInstaller.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1644

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1896

"C:\Program Files (x86)\Nero\Nero 2025\Nero BackItUp\NBService.exe"

C:\Program Files (x86)\Nero\Nero 2025\Nero BackItUp\NBService.exe

services.exe

User:

SYSTEM

Company:

Nero AG

Integrity Level:

SYSTEM

Description:

Version:

27.0.1.2

Modules

Images
c:\program files (x86)\nero\nero 2025\nero backitup\nbservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

Add for printing

Total events

10 727

Read events

10 511

Write events

150

Delete events

Modification events


(PID) Process:	(6356) SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6356) SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6356) SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(700) NeroInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Nero\Nero Launcher
Operation:	write	Name:	installPath
Value: C:\Program Files (x86)\Nero
(PID) Process:	(700) NeroInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Nero\Nero 10\Shared
Operation:	write	Name:	SendUsageStatistics
Value: 1
(PID) Process:	(700) NeroInstaller.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(700) NeroInstaller.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(700) NeroInstaller.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(700) NeroInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Installer\neropack\226
Operation:	write	Name:	C:\Program Files (x86)\Nero\Nero Common\Nero KnowHow PLUS\NeroKnowHowPLUS.exe
Value: 2025-06-27 03:06:37
(PID) Process:	(700) NeroInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL
Operation:	write	Name:	NeroKnowHowPLUS.exe
Value: 1

Add for printing

Executable files

214

Suspicious files

Text files

121

Unknown types

Dropped files

PID	Process	Filename		Type
6356	SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\439F613B3D55693954E1B080DE3085B4_13A9E648A032C61467BDA0380F67EA43		binary
		MD5:C29915BB0BBD48749287EFC7CE0840D4	SHA256:2E6339C2132F541FAB7B792C44359301C9225CE2D43C6C2B3D09A194DD188D7D
700	NeroInstaller.exe	C:\Program Files (x86)\Nero\Nero Common\AdvrCntr6\Eula_Nero_de-DE.rtf		text
		MD5:F1924C8009E3F2B7AA22E313625CDF59	SHA256:F605AC320C3F69E06868E532D83F652EBAE162535327570468B106743F7988F8
700	NeroInstaller.exe	C:\Users\admin\AppData\Local\Temp\NeroInstaller\backitup2025\Guide.zip		compressed
		MD5:FDB47AF94B0A266B2005CDA2EFBD3D09	SHA256:59E1A916AFD015A7F73C44C5CF0ED15E39877462620A28F4C932C8A4427D9CD5
700	NeroInstaller.exe	C:\Program Files (x86)\Nero\Nero Common\AdvrCntr6\Eula_Nero_en-US.rtf		text
		MD5:32323FDCC22CFBE3F3FD3ED49ADCC368	SHA256:D8CD4C9CEFC18B62DCE1E441C18002328962FEF8FBA2AE890EDE1BA4BDAF2153
700	NeroInstaller.exe	C:\Users\admin\AppData\Local\Temp\NeroInstaller\backitup2025\advrcntr6.zip		compressed
		MD5:24EC6AE4342C1CFFACBA193B218F44B8	SHA256:561D672E263A26732DADF23F79C8F32A544E8286010BC371071A6BB9A4F2F1FC
6356	SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94929790B3119AF4B3F5D66C747B122B_BD89444E43F6E3DA573BAF8E3E423D8B		binary
		MD5:68A41DD26E033FD408DB7B64C3594638	SHA256:D02C34B2036CF5843DF59F07C65912B87AC99C16E2863E3AEA0C54052D893793
6356	SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	C:\Users\admin\AppData\Local\Temp\NeroInstaller\backitup2025\25_06_27_03-06AM.Log		binary
		MD5:BC060FA97F48DDC81E5599A0D2E49FF1	SHA256:EC156E1AB023D89CFE6458C5F727107CCC6C91D045B6C403EB395C31B02C8D30
700	NeroInstaller.exe	C:\Program Files (x86)\Nero\Nero Common\Nero KnowHow PLUS\NeroKnowHowPLUS.exe		executable
		MD5:04FD1BF1F505B65B4D8BDF442D860D8C	SHA256:247683BD026897E3FE28BA1CE0D603D0A2C8FCA15F125AE7757E67B8E95E8297
700	NeroInstaller.exe	C:\Program Files (x86)\Nero\Nero Common\Nero KnowHow PLUS\neropack_dc60z7th.json		binary
		MD5:72B87A3674225BF3EEE85FF910E8402F	SHA256:08277CC107BB379EE9F32399472FCFBD3F54B7E030A362641929B6A52DE5B9D4
6356	SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94929790B3119AF4B3F5D66C747B122B_BD89444E43F6E3DA573BAF8E3E423D8B		binary
		MD5:4B6B77733B4CFC3496C034593A6CB8AD	SHA256:3D1342B3C9717FDA298AB8745FB380DCA935C1BC8F3258670AD9E6A0FC085554

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6356	SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	GET	200	151.101.130.133:80	http://ocsp2.globalsign.com/rootr6/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRi%2B7TJbHYn9EmJ9W03lecB7P%2BG7QQUrmwFo5MT4qLn4tcc1sfwf8hnU6ACEH8fLJAug9Djtvs77keLXoA%3D	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1896	NBService.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted
5348	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6356	SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	GET	200	151.101.130.133:80	http://ocsp.globalsign.com/gsgccr6alphasslca2023/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBTYuQbxgZqJCf3D06HBxH57o5XEXgQUvQW384qTPHPLefoPhRKhd5YYkXQCDAOORurIgzWKgTZF1Q%3D%3D	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5348	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1896	NBService.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted
7072	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1896	NBService.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAOV16x4tv63%2BNrFGfqWiR4%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5944	MoUsoCoreWorker.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3572	RUXIMICS.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6356	SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	193.24.237.217:443	login.nero.com	Die Netz-Werker Systemmanagement und Datennetze AG	DE	whitelisted
6356	SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	193.24.239.229:443	www.nero.com	Die Netz-Werker Systemmanagement und Datennetze AG	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6356	SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	205.234.175.175:443	dl9.nero.com	CACHENETWORKS	US	whitelisted
6356	SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	151.101.130.133:80	ocsp2.globalsign.com	FASTLY	US	whitelisted
700	NeroInstaller.exe	193.24.237.217:443	login.nero.com	Die Netz-Werker Systemmanagement und Datennetze AG	DE	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.186.78	whitelisted
login.nero.com	193.24.237.217	whitelisted
www.nero.com	193.24.239.229	whitelisted
dl9.nero.com	205.234.175.175	whitelisted
ocsp2.globalsign.com	151.101.130.133 151.101.194.133 151.101.2.133 151.101.66.133	whitelisted
ocsp.globalsign.com	151.101.130.133 151.101.194.133 151.101.2.133 151.101.66.133	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
login.live.com	40.126.31.0 40.126.31.130 40.126.31.2 40.126.31.128 20.190.159.23 40.126.31.3 20.190.159.128 20.190.159.130	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
settings-win.data.microsoft.com	20.73.194.208	whitelisted

Threats

PID	Process	Class	Message
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

Add for printing

Process	Message
SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	Stub Installer [6380] [2025-06-27 03:06:29.296] Debug "C:\Users\admin\AppData\Local\Temp\SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe"
SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	Stub Installer [6380] [2025-06-27 03:06:29.593] Debug Installer ID:backitup2025
SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	Stub Installer [6380] [2025-06-27 03:06:29.593] Debug SilentMode:0 strInstallPath: UseExtension:1
SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	Stub Installer [6380] [2025-06-27 03:06:29.608] Debug Make NTIU Registry Writeable:1
SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	Stub Installer [6688] [2025-06-27 03:06:30.061] Info Start Update Check - url: https://login.nero.com/api/update/check
SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	Stub Installer [6688] [2025-06-27 03:06:30.202] Info Update Check Done, It is force update, update it.
SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	Stub Installer [6380] [2025-06-27 03:06:30.780] Debug File content length: 6284065, Http response Code 200:
SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	Stub Installer [6380] [2025-06-27 03:06:31.218] Debug File https://www.nero.com/download.php?id=0_250320253021_neroinstaller, Http response Code 200:
SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe	Stub Installer [6380] [2025-06-27 03:06:31.249] Debug Download self Succ.
NeroInstaller.exe	Stub Installer [6528] [2025-06-27 03:06:31.640] Debug "C:\Users\admin\AppData\Local\Temp\SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe" /noselfupdate /installid backitup2025 /nomutexcheck

General Info

SharewareOnSale_Giveaway_Nero_BackItUp_PRO.exe

BC4A177C57AD2439DE08F86738E026B5

14DFAA2069E01EB0C8973D4DC7043BF2CA153572

FFF7E97A5C76A9C197BA2BA9419BA34162859A265C6A1E568E9022B56EC1B64C

98304:zP6KSoi+6TcFr5E36nyyxDRj3GVn+Ul5XSwogze6CYIiTfli2vV9Mh8MRo2w+uUq:bAeWG9+x64GI

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Registers / Runs the DLL via REGSVR32.EXE

Changes the autorun value in the registry

Starts NET.EXE for service management

SUSPICIOUS

Reads Internet Explorer settings

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Creates a software uninstall entry

Creates/Modifies COM task schedule object

Process drops legitimate windows executable

The process creates files with name similar to system file names

Searches for installed software

The process drops C-runtime libraries

Creates a new Windows service

Sets the service to start on system boot

Windows service management via SC.EXE

Executes as Windows Service

Starts CMD.EXE for commands execution

INFO

Reads the computer name

Checks supported languages

Reads the software policy settings

Creates files in the program directory

Create files in a temporary directory

Creates files or folders in the user directory

Checks proxy server information

Reads the machine GUID from the registry

The sample compiled with english language support

The sample compiled with german language support

Process checks computer location settings

The sample compiled with spanish language support

The sample compiled with french language support

The sample compiled with polish language support

The sample compiled with Italian language support

The sample compiled with russian language support

The sample compiled with japanese language support

The sample compiled with swedish language support

The sample compiled with portuguese language support

SQLite executable

The sample compiled with korean language support

The sample compiled with turkish language support

Launching a file from a Registry key

The sample compiled with czech language support

The sample compiled with chinese language support

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules